You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@manifoldcf.apache.org by Bert van Hoesel <bh...@scamander.com> on 2013/02/18 15:03:23 UTC

next step in implementing manifold: user authentication

Hi,

At the moment for the most part it is clear how to install, configure and populate manifoldcd and solr with authorized data. Using the added Manifoldcf 'search' url I can see I do not have access to any 'authorized' documents. Indeed I only see the non authorized documents.

Thus the next step would be an authentication mechanism on top of this. I have been looking 'around' but was not able to find enough pointers on how to accomplish this. Two 'obvious' paths seem to be available: JAAS or apache mod_authz. But maybe other solutions exists. Most preferable options are those with minimal (java) programming.

Biggest issue at the moment is that I can not figure out how authentication data is propagated into ManifoldCF.

Can anybody point me to some howtoo's or documentation of some kind on how to accomplish this authentication on top of ManifoldCF.

Thanks in advance.

Regards,

Bert.

Re: next step in implementing manifold: user authentication

Posted by Bert van Hoesel <bh...@scamander.com>.

Hi Karl,

Thanks. That was the missing link I was looking for. So far I did not come across that variable name. The way I checked it works was the 'negation' way (not sure if the term s used correctly). I did not know what was needed so I presumed that if it is not set it will not authorize. And that seemed to work ;-) .

Thanks again. Up to the next step.

Regards,

Bert.

On 02/18/2013 04:01 PM, Karl Wright wrote:

Do you mean, what URL argument does the Apache Solr 4.x Plugin expect
to see the authenticated user ID? I would have thought you'd already
need that to confirm that everything works. But in case you didn't
find it anywhere, it's "AuthenticatedUserName".

Karl

On Mon, Feb 18, 2013 at 9:51 AM, Bert van Hoesel <bh...@scamander.com> wrote:

Hi Karl,

The construct this way is clear. I hoped it would be more 'transparent' to
the underlying processes.

The next question that raises is: what is the (environment) variable name
that ManifoldCF is expecting the authenticated username in? This is for me
the 'missing' link in the setup. I have no clue what (as an example) to
'append' to the url to convey the username to ManifoldCF. Or is this
configurable? If so where can I find it. As So far it has escaped my
attention.

Regards,

Bert.

On 02/18/2013 03:33 PM, Karl Wright wrote:

Hi Bert,

Typically the authenticated user name would get passed from
mod-auth-kerb to Tomcat (or whatever the app server is you are running
solr under) as an argument, maybe appended to the url. It's going to
be up to you to figure out how to do that. Others may have more
concrete suggestions.

Karl

On Mon, Feb 18, 2013 at 9:28 AM, Bert van Hoesel <bh...@scamander.com>
wrote:

Hi Karl,

To be more precise. We are trying to get an 'sightly' customized Blacklight
fronted to connect to solr via ManifoldCF with authorization (obvious).
Blacklight is running from within Apache. So that would be a pre for
mod-auth-kerb. But ManifoldCF is running from within a Tomcat instance. In
this construct it is still not clear to me how and if this is going to work.
Technically, I am still missing the link between the login on Apache and the
authentication / user 'handover' to the Tomcat environment for Manifold.

So if anyone can pitch in to describe their solution. It would be much
appreciated.

Regards,

Bert.

On 02/18/2013 03:09 PM, Karl Wright wrote:

Hi Bert,

Others, I hope, will chime in on this thread and let you know what
precise solutions they have adopted. But, in general, the solution
you use will depend on the environment you intend to run in. As you
point out, JAAS authentication is an option, should you be able to
find an appropriate JAAS plugin that does what you want. If you want
to do things via the Apache web server, I'd look at mod-auth-kerb
rather than mod-authz. Others, no doubt, have less generic
suggestions.

Karl

On Mon, Feb 18, 2013 at 9:03 AM, Bert van Hoesel <bh...@scamander.com>
wrote:

Hi,

At the moment for the most part it is clear how to install, configure and
populate manifoldcd and solr with authorized data. Using the added
Manifoldcf 'search' url I can see I do not have access to any 'authorized'
documents. Indeed I only see the non authorized documents.

Thus the next step would be an authentication mechanism on top of this. I
have been looking 'around' but was not able to find enough pointers on how
to accomplish this. Two 'obvious' paths seem to be available: JAAS or apache
mod_authz. But maybe other solutions exists. Most preferable options are
those with minimal (java) programming.

Biggest issue at the moment is that I can not figure out how authentication
data is propagated into ManifoldCF.

Can anybody point me to some howtoo's or documentation of some kind on how
to accomplish this authentication on top of ManifoldCF.

Thanks in advance.

Regards,

Bert.

Re: next step in implementing manifold: user authentication

Posted by Karl Wright <da...@gmail.com>.

Do you mean, what URL argument does the Apache Solr 4.x Plugin expect
to see the authenticated user ID?  I would have thought you'd already
need that to confirm that everything works.  But in case you didn't
find it anywhere, it's "AuthenticatedUserName".

Karl

On Mon, Feb 18, 2013 at 9:51 AM, Bert van Hoesel <bh...@scamander.com> wrote:
> Hi Karl,
>
> The construct this way is clear. I hoped it would be more 'transparent' to
> the underlying processes.
>
> The next question that raises is: what is the (environment) variable name
> that ManifoldCF is expecting the authenticated username in? This is for me
> the 'missing' link in the setup. I have no clue what (as an example) to
> 'append' to the url to convey the username to ManifoldCF. Or is this
> configurable? If so where can I find it. As So far it has escaped my
> attention.
>
> Regards,
>
> Bert.
>
> On 02/18/2013 03:33 PM, Karl Wright wrote:
>
> Hi Bert,
>
> Typically the authenticated user name would get passed from
> mod-auth-kerb to Tomcat (or whatever the app server is you are running
> solr under) as an argument, maybe appended to the url.  It's going to
> be up to you to figure out how to do that.  Others may have more
> concrete suggestions.
>
> Karl
>
> On Mon, Feb 18, 2013 at 9:28 AM, Bert van Hoesel <bh...@scamander.com>
> wrote:
>
> Hi Karl,
>
> To be more precise. We are trying to get an 'sightly' customized Blacklight
> fronted to connect to solr via ManifoldCF with authorization (obvious).
> Blacklight is running from within Apache. So that would be a pre for
> mod-auth-kerb. But ManifoldCF is running from within a Tomcat instance. In
> this construct it is still not clear to me how and if this is going to work.
> Technically, I am still missing the link between the login on Apache and the
> authentication / user 'handover' to the Tomcat environment for Manifold.
>
> So if anyone can pitch in to describe their solution. It would be much
> appreciated.
>
> Regards,
>
> Bert.
>
>
> On 02/18/2013 03:09 PM, Karl Wright wrote:
>
> Hi Bert,
>
> Others, I hope, will chime in on this thread and let you know what
> precise solutions they have adopted.  But, in general, the solution
> you use will depend on the environment you intend to run in.  As you
> point out, JAAS authentication is an option, should you be able to
> find an appropriate JAAS plugin that does what you want.  If you want
> to do things via the Apache web server, I'd look at mod-auth-kerb
> rather than mod-authz.  Others, no doubt, have less generic
> suggestions.
>
> Karl
>
> On Mon, Feb 18, 2013 at 9:03 AM, Bert van Hoesel <bh...@scamander.com>
> wrote:
>
> Hi,
>
> At the moment for the most part it is clear how to install, configure and
> populate manifoldcd and solr with authorized data. Using the added
> Manifoldcf 'search' url I can see I do not have access to any 'authorized'
> documents. Indeed I only see the non authorized documents.
>
> Thus the next step would be an authentication mechanism on top of this. I
> have been looking 'around' but was not able to find enough pointers on how
> to accomplish this. Two 'obvious' paths seem to be available: JAAS or apache
> mod_authz. But maybe other solutions exists. Most preferable options are
> those with minimal (java) programming.
>
> Biggest issue at the moment is that I can not figure out how authentication
> data is propagated into ManifoldCF.
>
> Can anybody point me to some howtoo's or documentation of some kind on how
> to accomplish this authentication on top of ManifoldCF.
>
> Thanks in advance.
>
> Regards,
>
> Bert.
>
>
>

Re: next step in implementing manifold: user authentication

Posted by Bert van Hoesel <bh...@scamander.com>.

Hi Karl,

The construct this way is clear. I hoped it would be more 'transparent' to the underlying processes.

The next question that raises is: what is the (environment) variable name that ManifoldCF is expecting the authenticated username in? This is for me the 'missing' link in the setup. I have no clue what (as an example) to 'append' to the url to convey the username to ManifoldCF. Or is this configurable? If so where can I find it. As So far it has escaped my attention.

Regards,

Bert.

On 02/18/2013 03:33 PM, Karl Wright wrote:

Hi Bert,

Karl

On Mon, Feb 18, 2013 at 9:28 AM, Bert van Hoesel <bh...@scamander.com> wrote:

Hi Karl,

So if anyone can pitch in to describe their solution. It would be much
appreciated.

Regards,

Bert.

On 02/18/2013 03:09 PM, Karl Wright wrote:

Hi Bert,

Karl

On Mon, Feb 18, 2013 at 9:03 AM, Bert van Hoesel <bh...@scamander.com>
wrote:

Hi,

Biggest issue at the moment is that I can not figure out how authentication
data is propagated into ManifoldCF.

Can anybody point me to some howtoo's or documentation of some kind on how
to accomplish this authentication on top of ManifoldCF.

Thanks in advance.

Regards,

Bert.

Re: next step in implementing manifold: user authentication

Posted by Karl Wright <da...@gmail.com>.

Hi Bert,

Typically the authenticated user name would get passed from
mod-auth-kerb to Tomcat (or whatever the app server is you are running
solr under) as an argument, maybe appended to the url.  It's going to
be up to you to figure out how to do that.  Others may have more
concrete suggestions.

Karl

On Mon, Feb 18, 2013 at 9:28 AM, Bert van Hoesel <bh...@scamander.com> wrote:
> Hi Karl,
>
> To be more precise. We are trying to get an 'sightly' customized Blacklight
> fronted to connect to solr via ManifoldCF with authorization (obvious).
> Blacklight is running from within Apache. So that would be a pre for
> mod-auth-kerb. But ManifoldCF is running from within a Tomcat instance. In
> this construct it is still not clear to me how and if this is going to work.
> Technically, I am still missing the link between the login on Apache and the
> authentication / user 'handover' to the Tomcat environment for Manifold.
>
> So if anyone can pitch in to describe their solution. It would be much
> appreciated.
>
> Regards,
>
> Bert.
>
>
> On 02/18/2013 03:09 PM, Karl Wright wrote:
>
> Hi Bert,
>
> Others, I hope, will chime in on this thread and let you know what
> precise solutions they have adopted.  But, in general, the solution
> you use will depend on the environment you intend to run in.  As you
> point out, JAAS authentication is an option, should you be able to
> find an appropriate JAAS plugin that does what you want.  If you want
> to do things via the Apache web server, I'd look at mod-auth-kerb
> rather than mod-authz.  Others, no doubt, have less generic
> suggestions.
>
> Karl
>
> On Mon, Feb 18, 2013 at 9:03 AM, Bert van Hoesel <bh...@scamander.com>
> wrote:
>
> Hi,
>
> At the moment for the most part it is clear how to install, configure and
> populate manifoldcd and solr with authorized data. Using the added
> Manifoldcf 'search' url I can see I do not have access to any 'authorized'
> documents. Indeed I only see the non authorized documents.
>
> Thus the next step would be an authentication mechanism on top of this. I
> have been looking 'around' but was not able to find enough pointers on how
> to accomplish this. Two 'obvious' paths seem to be available: JAAS or apache
> mod_authz. But maybe other solutions exists. Most preferable options are
> those with minimal (java) programming.
>
> Biggest issue at the moment is that I can not figure out how authentication
> data is propagated into ManifoldCF.
>
> Can anybody point me to some howtoo's or documentation of some kind on how
> to accomplish this authentication on top of ManifoldCF.
>
> Thanks in advance.
>
> Regards,
>
> Bert.
>
>

Re: next step in implementing manifold: user authentication

Posted by Bert van Hoesel <bh...@scamander.com>.

Hi Karl,

To be more precise. We are trying to get an 'sightly' customized Blacklight fronted to connect to solr via ManifoldCF with authorization (obvious). Blacklight is running from within Apache. So that would be a pre for mod-auth-kerb. But ManifoldCF is running from within a Tomcat instance. In this construct it is still not clear to me how and if this is going to work.
Technically, I am still missing the link between the login on Apache and the authentication / user 'handover' to the Tomcat environment for Manifold.

So if anyone can pitch in to describe their solution. It would be much appreciated.

Regards,

Bert.

On 02/18/2013 03:09 PM, Karl Wright wrote:

Hi Bert,

Karl

On Mon, Feb 18, 2013 at 9:03 AM, Bert van Hoesel <bh...@scamander.com> wrote:

Hi,

Biggest issue at the moment is that I can not figure out how authentication
data is propagated into ManifoldCF.

Can anybody point me to some howtoo's or documentation of some kind on how
to accomplish this authentication on top of ManifoldCF.

Thanks in advance.

Regards,

Bert.

Re: next step in implementing manifold: user authentication

Posted by Karl Wright <da...@gmail.com>.

Hi Bert,

Others, I hope, will chime in on this thread and let you know what
precise solutions they have adopted.  But, in general, the solution
you use will depend on the environment you intend to run in.  As you
point out, JAAS authentication is an option, should you be able to
find an appropriate JAAS plugin that does what you want.  If you want
to do things via the Apache web server, I'd look at mod-auth-kerb
rather than mod-authz.  Others, no doubt, have less generic
suggestions.

Karl

On Mon, Feb 18, 2013 at 9:03 AM, Bert van Hoesel <bh...@scamander.com> wrote:
> Hi,
>
> At the moment for the most part it is clear how to install, configure and
> populate manifoldcd and solr with authorized data. Using the added
> Manifoldcf 'search' url I can see I do not have access to any 'authorized'
> documents. Indeed I only see the non authorized documents.
>
> Thus the next step would be an authentication mechanism on top of this. I
> have been looking 'around' but was not able to find enough pointers on how
> to accomplish this. Two 'obvious' paths seem to be available: JAAS or apache
> mod_authz. But maybe other solutions exists. Most preferable options are
> those with minimal (java) programming.
>
> Biggest issue at the moment is that I can not figure out how authentication
> data is propagated into ManifoldCF.
>
> Can anybody point me to some howtoo's or documentation of some kind on how
> to accomplish this authentication on top of ManifoldCF.
>
> Thanks in advance.
>
> Regards,
>
> Bert.
>